The IOMMU (also known VT-D on intel or IOV on AMD) is essentially a firewall for PCIE devices. This feature allows dom0 to lock a pcie device to a particular Qube, and so prevent it from accessing or modifying the rest of the system. This helps prevent against DMA attacks aka FireWire attacks, in which an insecure protocol allows a remote machine to simply modify system memory. It also protects against vulnerabilities in device firmware allowing one process from using the more privileged position of a Pci-E device to launch attacks on the rest of the system. This is the basis of the protection provided by sys-net and sys-usb.
PV vs. PVH vs. HVM
PV/PVH/HVM are all different virtual machine modes. HVM includes emulated device drivers via Qemu
- doesn't support pcie passthrough currently, although it's apparently coming in a newer version of Xen.
- doesn't include emulated devices via Qemu, which reduces the attack surface within the vm
- is generally the best type for
- doesn't support the IOMMU, which opens up significantly more attack surface if you use it.
- has the widest hardware support, as you can think of it as "emulating visualization" in software instead of using hardware assistance.
- does support PCI passthrough and the IOMMU, and so should be used for sys-net/sys-usb, etc.
- includes emulated devices via Qemu, which does increase the attack surface within the vm
- has the widest guest support, as even guests without xen support will boot and run using the emulated drivers.